Digital Identity (IAM, CIAM, IDAM, IDaaS) Advisory Services
Having a trusted identity expert is key to identifying and understanding your business requirements and maintaining your responsibility to protect customer and citizen data. Our advisory service offers you a strategic view of your identity capabilities for staff, partners or citizens, supporting appropriate access to digital services.
Features
- Federated Identity Management (FIdM)
- Extensible User Directory
- Self-Sovereign Identity
- Authentication Broker Service
- Multi-Factor Authentication (MFA)
- Risk-Based & Behavioural Authentication
- RBAC (Role-Based Access Control)
- Identity & Access Management (IAM)
- Identity Verification
- Audit, Reporting & Business Intelligence (BI)
Benefits
- Reduce time to provision users
- Increase security of user data
- Reduce time to on-board applications
- Secure applications against credential compromise
- Achieve / increase identity assurance
- Reduce risk of fraud, malicious error
- Enable self-sovereign identity
Pricing
£10,000 to £5,000,000 a unit
Framework
G-Cloud 13
Service ID
942049156159610
Contact
CONDATIS GROUP LIMITED
Cameron Bell
Telephone: 0800 538 5533
Email: sales@condatis.com
Service scope
- Software add-on or extension
- Yes, but can also be used as a standalone service
- What software services is the service an extension to
-
- Condatis Credential Gateway – simplifying decentralized identity orchestration
- Condatis Identity Solutions
- Cloud deployment model
-
- Public cloud
- Private cloud
- Service constraints
- No - Condatis IAM platform is delivered via public cloud services, with constraints per that cloud and cloud service(s).
- System requirements
-
- Access to cloud services (at an organisational and procurement level)
- Appropriate cloud subscriptions supporting set-up and running
- Appropriate connectivity (internet access)
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Dependent on customer requirements, notification, logging and responses can be immediate.
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
-
1) Very High: A security breach whereby a third party gains access to personal data, or an individual's account may be compromised. A security alert that is categorised as being critical to data security. In the event of a security breach, the technician will take immediate action to limit further unauthorised access to the Infrastructure Applications. Investigative work to provide a resolution will then commence during Service Hours.
- Response: 30 minutes
- Resolution: 8 service hours
2) High: An error that renders the software inoperative or causes the software to fail catastrophically.
- Response: 1 service hour
- Resolution: 16 service hours
3) Normal: An error that affects performance of the software and significantly degrades the use of the software. A security alert that is categorised as being medium severity.
- Response: 1 service hour
- Resolution: Best efforts to obtain resolution in 40 service hours
4) Low: An error that affects performance of the Infrastructure Applications but does not significantly degrade the use of the service. A security alert that is categorised as being low severity.
- Response: 1 service hour
- Resolution: Best efforts to put resolution in the next software release
Fees as per pricing document.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
-
On-boarding activities could include:
- IAM on-boarding, which includes setting up the IAM platform in an organisation's higher environments (e.g., Pre-Prod, UAT, Production) and would typically be delivered during the deploy phase
- Application on-boarding, which includes integrating relying party applications / services with the IAM platform and would typically be delivered during the deploy phase
- Service documentation
- Yes
- Documentation formats
-
- HTML
- ODF
- End-of-contract data extraction
- Data stored in the platform can be extracted for the purposes of migration / deletion. This work could be undertaken by the authority with required support from Condatis.
- End-of-contract process
-
Off-boarding could be delivered entirely by an organisation, and Condatis encourages organisations to take ownership of their IAM solution; however, recognising this is not always practical, Condatis can support a number of off-boarding activities:
- Application off-boarding, which includes removing an application / service from the IAM platform and would typically be delivered under SLA
- Platform retirement, which includes work to plan and achieve moving from the Condatis platform to a new solution and would include aspects such as user migration. Depending on the level of support required, this may be delivered under SLA
Using the service
- Web browser interface
- No
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- Web experience is via adaptive templates. Experience is ultimately dependent on the user's device, operating system and browser of choice.
- Service interface
- Yes
- User support accessibility
- WCAG 2.1 AA or EN 301 549
- Description of service interface
- Interface via web front-end or API(s)
- Accessibility standards
- WCAG 2.1 AA or EN 301 549
- Accessibility testing
- Commissioning authority generally specifies and carries out accessibility testing, which Condatis will support.
- API
- Yes
- What users can and can't do using the API
-
Platform API functionality includes:
- CRUD operations on users
- Integration with external data sources, e.g., attribute providers (databases)
- API documentation
- Yes
- API documentation formats
-
- Open API (also known as Swagger)
- HTML
- ODF
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
-
Commissioning authority would specify:
- use of identity providers (IdPs)
- use of attribute providers (AtPs)
- use of multi-factor authentication (MFA)
- authentication journey
- front-end experience
- BI requirements
- Audit requirements
Scaling
- Independence of resources
- Platform autoscales according to load.
Analytics
- Service usage metrics
- Yes
- Metrics types
-
Metrics include:
- Service uptime (downtime)
- Active users over period
- Active users at moment in time
- Authentication journey success (fail)
- Reporting types
-
- API access
- Real-time dashboards
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Conforms to BS7858:2019
- Government security clearance
- Up to Developed Vetting (DV)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
-
- United Kingdom
- European Economic Area (EEA)
- User control over data storage and processing locations
- No
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least every 6 months
- Penetration testing approach
- ‘IT Health Check’ performed by a CHECK service provider
- Protecting data at rest
-
- Physical access control, complying with CSA CCM v3.0
- Encryption of all physical media
- Data sanitisation process
- Yes
- Data sanitisation type
-
- Explicit overwriting of storage before reallocation
- Deleted data can’t be directly accessed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
- Data stored in the platform can be extracted for the purposes of migration / deletion. This work could be undertaken by the authority with required support from Condatis.
- Data export formats
-
- CSV
- ODF
- Other
- Other data export formats
-
- Directory schema
- Database schema
- Data import formats
-
- CSV
- ODF
- Other
- Other data import formats
-
- Directory schema
- Database schema
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
- Condatis SLA(s) guarantee service availability. This is backed by cloud provider's own SLA(s). Condatis offers service credits where SLA availability is not met.
- Approach to resilience
- Azure Availability Zones enable deployment of the application across multiple data centres, protecting it against an outage in any one Azure data centre. Mechanisms such as load balancing, DDoS protection, application service clustering, and redundant and geo-redundant storage can be configured to deliver the required level of high availability. Azure auto-scaling of computing resources ensures that the solution is resilient to peak demand.
- Outage reporting
-
Outage reporting per SLA and can include:
- dashboard
- email alerting
- telephone alerting
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Identity federation with existing provider (for example Google Apps)
- Limited access network (for example PSN)
- Username or password
- Access restrictions in management interfaces and support channels
- Access to management interfaces is restricted by username and password, and additional factors as may be required, or authority's own access technology (e.g., if access is federated).
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Identity federation with existing provider (for example Google Apps)
- Limited access network (for example PSN)
- Username or password
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- Users have access to real-time audit information
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- Centre for Assessment Limited (CfA)
- ISO/IEC 27001 accreditation date
- 25/02/2022
- What the ISO/IEC 27001 doesn’t cover
- Condatis' ISO 27001 statement of applicability covers all the controls defined by ISO 27001 with the exception of 14.2.7 Outsourced development and 11.1.6 Delivery and Loading Areas because they do not apply to Condatis.
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- No
- Cyber essentials plus
- No
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
-
Regular internal and external audits and management review meetings ensure the following are followed. The information security manager reports to the CEO.
- Information Security Objectives
- Information Classification Policy
- Information Handling Policy
- Document Control Policy
- Clear Desk and Clear Screen Policy
- Secure Development Policy
- Mobile Computing and Remote Working Policy
- Access Control Policy
- Acceptable Use Policy
- Cryptographic Policy
- Anti-virus and Anti-malware Policy
- Software Installation Policy
- Supplier Security & Quality Policy
- Business Continuity Management Policy
- Network Security Policy
- Secure Systems Engineering Policy
- Media Destruction Policy
- Communications Policy
- Password Policy
- Security Updates Policy
- Capacity Management Policy
- Hardware Disposal Policy
- Data Retention Policy
- Privileged Utility Programs Policy
- IPR Management Policy
- Guest Control Policy
- Condatis Backup Policy
- Sustainability Policy
- Security incident management procedure
- Employee departure and arrival processes
- Change management procedure
- Risk assessment methodology
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
- We run an agile development lifecycle where feature changes are defined by PBIs (product backlog items). Developed code is version controlled and is passed through a gated release process that is an intrinsic part of the develop, build & deploy DevOps cycle. Release builds (software components deployed to Azure assets) are strictly controlled within the Azure DevOps platform and cascade from development to test and pre-production environments before final deployment to production. Changes at organisational level undergo an ITIL change management process, where the CAB (change authority board) evaluates the impact and implications of proposed changes before they are authorised.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
- Computing endpoints are regularly scanned for vulnerable software, Windows updates are regularly applied, and malware protection software is installed. Security advisories are regularly monitored and actioned accordingly. The solution deployment will typically include, within the build pipeline, processes for checking for vulnerabilities in code (Secure Code Scan) and in external software components used (Dependency Checker). Once the solution is deployed within the Azure cloud infrastructure, Defender for Cloud continually assesses the security posture and is monitored for any relevant risk mitigation actions.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
- Condatis maintains an ISO 27001-accredited protective monitoring process, available on request. Potential compromises are assigned the highest priority under Sitekit's SLA (Critical) and immediately investigated.
- Incident management type
- Supplier-defined controls
- Incident management approach
- We operate an ITIL-aligned support desk ticketing solution that is able to track the incident lifecycle stages of logging, triage, categorisation, prioritisation, analysis, resolution and post-incident review. Incidents are reported via alerts or by users through email, phone or portal channels. Incidents can transition to problem tickets where the root cause and subsequent full resolution can be established. An incident playbook is maintained for common incident types with their respective responses, along with a knowledge base accessible via the customer portal. Incident reports with timelines, impact and root cause analysis will be provided as part of post-incident engagement with the customer.
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Public sector networks
- Connection to public sector networks
- No
Social Value
- Fighting climate change
-
Fighting climate change
As with most companies, over the Covid lockdown period our engagements, workshops and on-boarding became standardised around Teams or Zoom calls, including demos, whiteboarding and retrospectives. For the period covered by G-Cloud 13 we will continue this practice even though the restrictions have been removed. This will reduce our travel company-wide by 95% and thus our carbon footprint. We will also use any G-Cloud contracts to assist us in achieving ISO 14001, the environmental standard, which will in turn involve us vetting our suppliers and partners over their environmental impact. As some of the technologies that we are involved in use distributed ledgers, this will have a significant influence on suppliers, partners and customers.
- Covid-19 recovery
-
Covid-19 recovery
During COVID-19, we moved to a fully remote office, allowing all staff to continue in employment from their own homes while still being able to fulfil all obligations to our customers and complete contracts on time and to standard. We now work in a hybrid model where staff choose to work from home or the office.
Condatis is able to support those shielding or impacted by Covid by continuing to provide full time remote working for those that want/require it. We will also continue to provide a home office set up. This will allow Condatis to provide valuable employment for those affected or shielding from Covid while still being able to deliver services as per the contract and customer requirements.
Condatis offers physical and mental health courses to staff, including Mental Health First Aid, Mental Health Awareness for Managers, Resilience Training and First Aid at Work. Having well-trained and aware staff working on a contract enables a proactive approach to mental health and a quick response on physical health. In turn, this currently reduces and will continue to reduce the demand on health and care services.
- Tackling economic inequality
-
Tackling economic inequality
Condatis is an employer that advocates and educates other employers to support apprentice programmes. We have presented to over 100 companies about the benefits of having apprentices as part of the Scottish Apprenticeship week.
Condatis was the first company in Scotland to provide a fully virtual Foundation Apprenticeship programme in Software Development, targeting remote high schools based in the Highlands and Islands. We want all young adults to receive an equal opportunity to become an apprentice regardless of their location and we currently have six Foundation Apprentices.
We also support Modern Apprentices, of which two apprentices continue to be employed by us today.
Our Apprenticeship programmes create employment and training opportunities. For those in the Software Development programme, we are providing training opportunities within an industry with a skills shortage. For one of the Modern Apprentices, this was an opportunity for employment within a deprived area.
In the delivery of a project, we anticipate including apprentices on projects with their mentors. We support providing further training for individuals on a project to close skills gaps or attain relevant qualifications.
- Equal opportunity
-
Equal opportunity
Condatis treats people equally and individuals are not disadvantaged by prejudices or bias. We ensure that recruitment, selection, training, development and promotion procedures result in no job applicant or employee receiving less favourable treatment because of a protected characteristic. Our objective is to ensure that individuals are treated on the basis of their relevant aptitudes, skills and abilities.
We invest in women in technology by supporting female Apprentices in Software Development and Human Resources. We support employees in deprived areas to attain relevant professional qualifications in their field, to enable them to have a successful career. We have attended, and provided keynote speakers at, recruitment events for individuals who identify as women.
We will continue to provide training and promotion opportunities to all staff, regardless of any protected characteristic. We will continue to offer the living wage as a minimum. If time and funding permit, Condatis plans to champion women in technology by presenting at Edinburgh-based, and ideally wider, sessions.
- Wellbeing
-
Wellbeing
At Condatis, we have a team of Mental Health First Aiders, who are available to support staff in need and support various initiatives through a Well-being Hub. The Hub provides suggestions to promote better well-being, such as helping others and staying active. We offer fitness classes to employees to promote their physical health.
We promote well-being in the workplace for all staff to inspire positive working environments and prevent stress. This allows the individual, the organisation and the project to thrive.
As part of our own supplier assessments, we ensure that any third-party supplier meets our own ethical standards, which include their treatment of their workforce. We do the same for prospective customers.
Pricing
- Price
- £10,000 to £5,000,000 a unit
- Discount for educational organisations
- No
- Free trial available
- No